Politecnico di Torino Porto Institutional Repository [Proceeding] Offloading Personal Security Applications to a Secure and Trusted Network Node Original Citation: Bonafiglia R., Ciaccia F., Lioy A., Nemirovsky M., Risso F., Su T. Offloading Personal Security Applications to a Secure and Trusted Network Node. In: First IEEE Conference on Network Softwarization (Netsoft 2015), London, UK, 13-17 April 2015. (In Press) Availability: This version is available at : http://porto.polito.it/2594969/ since: March 2015 Publisher: IEEE Terms of use: This article is made available under terms and conditions applicable to Open Access Policy Article ("Public - All rights reserved") , as described at http://porto.polito.it/terms_and_conditions. html Porto, the institutional repository of the Politecnico di Torino, is provided by the University Library and the IT-Services. The aim is to enable open access to all the world. Please share with us how this access benefits you. Your story matters. (Article begins on next page) Offloading personal security applications to a secure and trusted network node R. Bonafiglia§ , F. Ciaccia¶ , A. Lioy§ , M. Nemirovsky‡‡ , F. Risso§ , T. Su§ § Politecnico di Torino, Dip. Automatica e Informatica, Italy Supercomputing Center (BSC), Spain ‡‡ ICREA Researcher Professor at Barcelona Supercomputing Center (BSC), Spain ¶ Barcelona Abstract—The current device-centric protection model against security threats has serious limitations from the final user perspective, among the other the necessity to keep each device updated with the latest security updates and the necessity to replicate all the security polices across all devices. In our model, the protection is decoupled from the users terminals and it is provided through a Trusted Virtual Domain (TVD) instantiated in future edge routers. Each TVD provides unified and homogeneous security for a single user, irrespective of the terminal employed. This paper shows a first prototype implementing this concept through a network element, called Network Edge Device, capable of running the proposed virtualized architecture and making extensive use of SDN technologies, with the aim at providing a uniform security level for the final user. I. I NTRODUCTION Today’s classical approach to the security of personal devices requires the installation of security software directly on the devices that need to be protected. With a growing number of user terminals (laptops, smartphones, smart TVs, and more), keeping all those devices protected has become a challenge; achieving a uniform level of security across all of them would be even harder. In fact, each device needs to be configured with the proper security policies, while security patches (e.g. related to the operating system and/or the installed software) needs to be readily applied. However, this may not always be possible, as some devices (e.g. smart TVs) may not support the desired set of security properties, or security patches may not be promptly released by the software manufacturer1 . The above problems can be mitigated by processing all the network traffic in a security device operating close to the user, possibly integrated in an home gateway or an edge router. In a nutshell, we propose to offload security to a personal Trusted Virtual Domain (TVD) running in an Network Edge Device (NED), in charge of executing all the user’s security applications on the network traffic, regardless of the personal device in use, thus reaching uniform network protection. This paper introduces the main architectural components of the NED, followed by a description of a prototype developed based on the above architecture; finally a demonstration scenario of the prototype is presented. II. A RCHITECTURE A. The TVD The Trusted Virtual Domain is the main component of this architecture: it is a logical container of all the user network security. Each security control processes exclusively the traffic of a single user, thus is called a Personal Security Application (PSA). It runs in an Execution Environment (EE); the EE is a placeholder for the PSA execution which should be adequately separated from other users’ environment, guaranteeing traffic isolation. Multiple PSAs for the same user can run in the same EE in cascade. PSAs behaviour is monitored by another component, the Personal Security Controller (PSC) which is also in charge of configuring PSAs at startup time; the PSC runs in a separate EE. The TVD is Trusted as all the components (hardware and software) are being attested following the principles of Trusted Computing [1]. In this way is possible to verify that the software running on the NED is not tampered according to some golden measurements. B. The TVD Manager The TVD Manager (TVDM) is the architecture Orchestration and Management component. Once the user is authenticated in the system, the TVDM deals with the requests to instantiate a new TVD by determining the resources required for its allocation and then commanding the deployment. The TVDM performs an analysis of the required virtualization technology and the management of the network topology (physical and virtual) to support the deployment of the whole user’s Service Graph (SG). The SG is the formalism that describes the service requested by the user and it is, in its simplest form, a set of cascaded PSAs active on the user’s traffic. The SG is defined as the superposition of two directed graphs in which nodes represent the PSAs and arcs represent the flow of the traffic between two nodes. Arcs can be labelled with a set of packet filtering rules (e.g. OpenFlow Flowmods) that select which traffic has to flow through that arc in that direction. The TVDM is in charge of translating this abstract model into actual flow rules to be pushed in the virtual switches, thus acting as an OpenFlow controller. C. The PSC Manager 1 It is worth mentioning that some versions of mainstream operating systems, such as Android, Apple IOS or Microsoft Windows, are no longer covered by the proper security patches, although their penetration in the market is still far from marginal. The PSC Manager (PSCM) is the front-end component of the architecture; it includes the NED Authentication system which can be implemented either locally or using an external authentication infrastructure (AAA+, OAuth, OpenID...). The PSCM grants an authentication token used by the rest of the infrastructure components to identify the user. D. Network topology Users connect to the NED with a secure channel (it can be an Ethernet cable, a WiFi encrypted channel or even a remote encrypted connection, e.g. a VPN using IPsec). Internally the NED presents two separate networks: the data plane network and the control and management network. Their means is to separate the user traffic (data plane) from the traffic generated by the infrastructure components for management and monitoring. The two networks are managed by two virtual switches. The Data Plane switch forwards all the users’ traffic; isolation of flows is guaranteed by fine-tuned rules in the switch which allows for traffic steering towards, and only to, the user’s TVD. Fig. 1. A NED managing a multi-tenant scenario with different security policies enforced III. T HE PROTOTYPE A pure software prototype of this architecture has been developed in the context of the SECURED European project [2]. The prototype relies on customized Virtual Machines as Execution Environment for both PSAs and PSC. The host is running a Fedora Linux distribution with the KVM hypervisor together with QEMU. The NED software is running on commodity hardware (x86 Intel CPU, 8GB RAM, 1Gbit/s NIC with 2 ports). The development of the NED components leveraged on fast prototyping tools (e.g. Python language) and clean API interfaces (RESTful services). To conduct Remote Attestation an external Third Party Verifier hosting the golden measurements and attesting the NED trustability is needed. The Verifier software has been developed and deployed on a different machine using also the Python language. Functional testing has been conducted on the prototype in a use case scenario with two users connecting to the NED. Each user connecting to the NED will go through these steps: • Trusted Channel establishment: a VPN tunnel using IPsec is established towards the NED. The IPsec handshake is not completed until the user terminal receives a trusted verification report from the Verifier. This report proves that the certificate used by the NED to create the secure channel is controlled by the software actually in use, and the software running in the NED is benign and in the latest version. • User Authentication: the PSCM is now reachable and the user can authenticate in the SECURED system. • TVD instantiation by TVDM: the authentication triggers the TVD instantiation and configuration (PSC and PSAs VMs are deployed). Once the TVD is configured users are finally able to reach the Internet taking advantage of the NED security controls (e.g. in Fig. 1 user1 and user2 both have the firewall PSA but with different policies enforced). IV. C ONCLUSIONS AND FUTURE WORK With the prototype implementation we demonstrated the feasibility of the presented architecture. The system architecture, including also the external infrastructure architecture [3], is easily mapped to an NFV deployment and a design compatible with the ETSI standard [4] is currently under development. The concept of the Service Graph allows for complex modeling of VNFs chaining, becoming an NFV enabler. The security paradigm shift towards the network edge explores the new possibility offered by Fog Computing, a scalable architecture which will be an IoT key technology [5] [6]. Finally the Trusted Computing techniques here investigated focus on the concepts of Remote Attestation, an ongoing research topic which can provide authentic evidence about the integrity status of the platform. ACKNOWLEDGMENT The research described in this paper is part of the SECURED project [2], co-funded by the European Commission under the ICT theme of FP7 (grant agreement no. 611458). R EFERENCES [1] TCG infrastructure working group, “TCG architecture part ii: Integrity management. tcg specification version 1.0, revision 1.0.” [2] “Security at the network edge (SECURED),” http://www.secured-fp7.eu/. [3] D. Montero, M. Yannuzzi, A. Shaw, L. Jacquin, A. Pastor et al., “Virtualized security at the network edge : A user-centric approach,” IEEE Communications, to appear, 2015. [4] ETSI NFV ISG, “NFV white paper ver. 2,” https://portal.etsi.org/nfv/nfv white paper2.pdf, 2013. [5] F. Bonomi, R. Milito, J. Zhu, and S. Addepalli, “Fog computing and its role in the Internet of things,” in Workshop on Mobile Cloud Computing (MCC), 2012, pp. 13–16. [6] M. Yannuzzi, R. Milito, R. Serral-Gracia, D. Montero, and M. Nemirovsky, “Key ingredients in an IoT recipe: Fog computing, Cloud computing, and more Fog computing,” in Int. Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD), 2014, pp. 325–329.
© Copyright 2024